CVE-2025-10353
BaseFortify
Publication date: 2025-10-08
Last updated on: 2025-12-11
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| melis_technology | melis_core | * |
| melis_technology | melis_cms | * |
| melis_technology | melis_cms_slider | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-43 | The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the melis-cms-slider module of Melis Platform, where an attacker can upload a malicious file via a POST request to the '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' endpoint using the 'mcsdetail_img' parameter. This file upload flaw can lead to remote code execution (RCE), allowing the attacker to execute arbitrary code on the affected system.
How can this vulnerability impact me?
The vulnerability can allow an attacker to execute arbitrary code remotely on the affected system without any privileges or user interaction. This can lead to full system compromise, data theft, service disruption, or further attacks within the network.